ISACA CISM – Domain 03 – Information Security Program Development part 14

106. Compliance Monitoring and Enforcement Part2

So as we talk about compliance monitoring and enforcement, one of the things I think I was trying to get to is the standards. Compliance, those are the boundaries of options for your systems, processes and actions that are within your policy. Really if you think about it, if I have a policy for vendor a’s operating system, whatever that might be, server or whatever the case is, well it really should be the same policy for the same systems throughout the organization. Now within that policy we may have some maybe slightly different criteria depending on the criticality and sensitivity of the resource. But we shouldn’t say that Windows Server A doesn’t need a firewall but Windows Server B does. Well I mean if it’s good for one, it should be good for the others and quite technically should be on all of them. Resolution needs to be thought about of what do you do if you have non compliance issues?

Because like I said, if you’re out of compliance you’re going to be increasing the risk to an organization. And how do we know we’re not in compliance? Well, I said that already. Monitoring should be able to recognize non compliance and that non compliance should be dealt with in a very timely manner. So that means we have to have compliance enforcement. That’s an ongoing set of activities that help fulfill the information security and other standards. And it doesn’t have to be the extreme that you’re going to fire somebody. Maybe just one of the things you’re going to say, okay, what’s my activity? My activity is going to be education. I want to educate whoever may be responsible for being out of compliance so they know what those standards are. And of course the more education means, hopefully even a better security system.

107. Assessment of Risk and Impact Part1

Now, I talked about doing assessments and that they should be done with some frequency and it’s the assessment of risk and impact. So the main operational responsibility for the information security manager is to manage risk to an acceptable level. Well, how do we know what the acceptable level is? Well, that usually came from a risk management study. We need to be doing vulnerability assessments. Of course, those are the weaknesses that could harm the confidentiality, integrity and availability of the organization and the organization’s data. So it’s something we should continually be monitoring again, which means actively reviewing or auditing. And remember, there’s plenty of devices out there that can do this automatically through automation by doing correlation.

And as I’ve said already, as a part of due diligence, researching the newest threats and testing to see if you’re vulnerable, you can run a variety of different vulnerability assessment programs against your network. Some are open source, some are from a for profit company. But I can just guarantee you that if you’re not doing a vulnerability assessment, somebody is doing it for you.But if that other somebody is a hacker, they’re not doing it for your benefit. Threat assessment, that’s really the technical and behavioral threats to an organization. And remember, those can evolve over time because as you add maybe new controls, new applications, new hardware devices, right then that means you have new potential threats. If you decided that your company’s local area network now needs to have two service providers.

So you can be what they call multi homed and you’ve assessed this connection, but this is the new one. Well, that’s a new attack vector. We want to be basically assessing what new threats could come in from that direction or again, it could be from internal. As I’ve said so many times before, it’s something that should be done at least annually. And that’s also part of comparing how your organization’s profile may change. And let’s face it, companies do change over time. Networks change, and their needs change over time. And as we are developing new change management, at some point that evolution may have put us at a different threat assessment, but we wouldn’t know if we haven’t done one.

108. Assessment of Risk and Impact Part2

So as you take everything I’ve just said about the assessment of risk and impact, a risk assessment is a process that we’re going to identify and evaluate the risks and the potential impact on the organization. It’s also going to be something that helps us prioritize which risks we need to deal with first. Now the business impact assessment is an exercise to determine what the impact would be if we lost access us to a resource for any time. So like I said many times, if you’re a bank and you’ve lost access to your data center, that means nobody can check their balance, nobody can withdraw money. How critical is that to your company’s well being financially and longevity wise and that’s what a BIA would try to help determine.

And so if you think about it, risk assessment may have helped prioritize and said, yeah, we’re really concerned about that data center and then we add to it that we say, well let’s do this little exercise here and find out what would happen if that data center were down. What’s the maximum tolerable outage we can survive before out of business. Now the bia can be sometimes thought of as a little bit of a costly exercise. So you can also look at it from a less costly non as intense research. With this resource dependency, it is kind of a substitute, usually less costly, but still the goal is trying to determine what is the impact that the loss of a resource might have to your company.

109. Outsourcing and Service Providers

Another issue we have to look at is are we outsourcing, outsourcing our security or outsourcing our network to another service provider? Which is not a bad thing. It’s just that something we have to consider. That may be a solution that a third party is doing security services or our It services. I used to do a lot of work with hospitals back in around the turn of the century, does that sound right? Back around the year 2000. For whatever reason, in that year before and year after span, a lot of my work was hospitals. I just keep seeming to go from different companies to different companies. But nonetheless, that hospital had their own It staff. And this company in Texas decided that. They said, hey, look, you know what? Fire all your people in It. We’ll hire them. So they still have jobs. They’ll work for us, and we’ll get you all new equipment and just charge you a little bit more money than you would have paid by paying them directly.

And so what happens was they got new equipment, they had the same employees, and so nobody moved. And financially, that hospital might have paid a little bit more money as kind of a lease on the new equipment, but they got better equipment, they had better controls.And of course, the employees worked for this other company, so they took care of training and everything else. So what I’m saying is most your security requirements are still the same, whether they’re working directly for you or outsourced. And they should still be considered a part of the Is management. And as I said, usually that decision is based on economics. Now, there are some concerns about outsourcing.

Number one, as you may have people who are going to lose some of their essential skills, you won’t have as your organization as much visibility into the security process because that’s being done by the third party. The third party may have new remote access, could introduce new attack vectors, or like I was talking about up here with the hospital, very well may have been introducing new types of equipment. You also have to worry about the viability of the third party. What if they go out of business? Then you’d be kind of in trouble, wouldn’t you? And potentially you could get poor service or maybe even some unexpected costs, depending on the contracts and who’s paying attention. And of course, remember, you are allowing a third party access into your company, which means that they potentially have access to your very private or secret information.

110. Cloud Computing Part1

The whole world is excited about the cloud. Some people are saying, I’m not sure what the cloud is. There are many different types of cloud computing, by the way. I’ll talk about a couple of them, but it does make it difficult to define. Now NIST gave a definition. They said it’s a model for enabling convenient OnDemand network access to a shared pool of configurable resources. Now, there are advantages of going to the cloud. Number one, you’re basically leasing equipment, so your annual costs probably are going to go down. Cloud services generally are scalable. When you think of a cloud service, talk about software as a service or whatever the case may be. They’re going to have some virtual host, and that virtual host is going to be running a virtual machine, and maybe that’s the virtual machine that you’re using from your company.

And then as your traffic increases, these hosts notice I’m not going to get into specifics of vendors, but they can dynamically increase the number of virtual machines as your traffic demands. And then if you don’t need as much, they can take some back so they can manage resources that’s scalability. It’ll grow with you. They often take care of the backups. They often take care of the clustering, the ability to recover from an outage. So you usually have better reliability, certainly better performance. If they’re doing their job right. The biggest performance issue you might be having is on your connection through this secure tunnel to get there and of course, the agility to change as needed. And that’s kind of a great aspect.

111. Cloud Computing Part2

Now there are some security considerations with cloud computing and that is that, you know so there may be companies, not yours of course, but some that might not have given security as high importance as could as they could see. And so what they could see, I should say, is security improvements. Because if this is a small shop of 50 people and they really don’t have anybody they can say is the security manager, it might just be a kind of a loose connected set of computers networks. So maybe it’s just they just didn’t know what they should be doing for security. Hey, now they’re using the cloud. The cloud is a large organization and they know what they’re trying to do for security. So they could actually see security improvements. Now there is the risk of loss of sensitive information because you are sending your sensitive information up here into the cloud.

So what happens when you send your data from your servers, hopefully with a secure connection? That’s why I draw these little tunnels into the cloud. Well, the cloud is going to store it on their storage networks, but they may also have employees who are up to no good. Maybe they’re going to do something bad with your data. Or maybe if you’re not very good with the secure connection, you could have somebody out here as a hacker trying to come after that. The location of the data can be a concern as well. Again, the location usually is great, but let’s say that I’m on the road and now I’m over in the Asia Pacific and I try to connect in here, but connections aren’t supported. So that means the fact that the location of the data is somewhere I know it’s supposed to be, I might not be accessible. Or if you lost your connection, usually this is across an internet connection. If you’ve lost that connectivity, then you also have been basically put into an outage.

112. Cloud Computing Part3

Cloud computing can be thought of as a service models. You have infrastructure as a service, you have platform as a service and then you have software as a service. So let’s talk about that. So infrastructure may be dealing with using the cloud just for storage. Now, any of you who have used any of the free email programs, your Hotmails, Yahoos, gmails and XYZ email or whatever’s out there, you’ve all heard about the cloud and the cloud storage and sure, just put your files up there, they’ll be ready for you wherever you want to. They have maybe the ability to deploy and run arbitrary software for you, which could be applications and the rest.

Also, if you have any customer created or acquired applications, that would be where your platform as a service might be helpful because they could provide the platform that runs that software for you. And then of course, software as a service, that would basically be your applications. I mean, one of the big ones that we see these days is Microsoft offering their Office products on the web. So you don’t have to download and install Word or Excel. You can run Word and Excel from your desktop, but it’s really being housed in the cloud. Now, as far as the deployment model, you can make your own internal cloud. We’d call that a private cloud. It could be a public cloud like some of the other services.

For the most part, a cloud is going to be virtual machines. And whether you’re running the virtual machines server or host, again, whether VMware or HyperV or whatever you’re using, if it’s inside of your company, it’s a private cloud. If it’s one that you’re subscribing to, it’s usually considered a public cloud. A community cloud could be one that several maybe I have different doctor offices, but they’re independent offices, but they all need kind of the same types of VR service. So they’re all using it kind of as a community. Maybe they’re all going in together on the cost and the price and then a hybrid cloud could be any combination. It could be a combination of public cloud, private cloud, community cloud. Again, it’s just a matter of how it’s being used. As far as the deployment.

113. Integration with IT Processes

Finally, we’ll take a look at this idea of integration with It processes, and basically that’s where the information Security manager is ensuring that the Is program interfaces with other organizational assurance functions. Like I said, if HR is really big on making sure employee files are secure, then we want to make sure we’re interfacing with them correctly. It should be an ongoing bidirectional communication between departments so that we both agree on what’s security should be. We also should integrate change management with aspects of security that could be easily an upgrade to a new patch. Upgrade to an operating system could be the implementation of new hardware. But again, it should all be integrated together.

114. Domain 03 Review

Well, as you can see, the goal of our domain here was a big focus on the information security program. We started by having an overview of what that meant and started talking about what it takes to have an effective development of the information security program. We talked about those development concepts and the involvement of the information security manager. From there we looked at the scope and the charter of the information security programs development, talked about some of those development objectives and then talked about defining the Information security program’s development roadmap and how we needed a lot of different information things like the risk assessment and the gap analysis to help us out with that.

We looked at what resources are available for this information security program and then from that point with the development, we then started talking about the actual implementation of that security program, understanding the information, the infrastructures and the architectures that we had to deal with, especially with some of the increasing complexity of those. We looked at your physical and environmental controls, talked about the integration into the business process, and also some of the development metrics that we can use for monitoring how things are moving as far as the development and of course, through the implementation.

• Category: Uncategorized